SUPEE-5344 – Shoplift Bug Patch

This patch addresses a specific remote code execution (RCE) vulnerability known as the “shoplift bug” that allows hackers to obtain Admin access to a store. To determine if your store has been patched, see the Shoplift Bug Test. If your store is not protected, you must immediately download and install the appropriate patch for your version of Magento.

You can find more details on the vulnerability addressed by this patch below:

Remote code execution - APPSEC-921

Type:

Remote Code Execution

CVSSv3 Severity:

9.1 (Critical)

Known Attacks:

Yes

Description:

Authentication bypass uses special parameter that allows the execution of Admin action. The Admin action is vulnerable to SQL injection, which allows code to be inserted into the database and executed. As a result, the store can be fully compromised by creating counterfeit administrator accounts and/or installing malware on the server.

Enterprise Edition Merchants: Go to My Account, select the Downloads tab, and then navigate to Magento Enterprise Edition > Support Patches. Look for the folder titled “Security Patches – February 2015.” Merchants can also upgrade to the latest version of the Enterprise Edition and receive the security fixes as part of the core code.

Community Edition Merchants: Patches for earlier versions of Community Edition can be found on the Community Edition download page (look for SUPEE-5344). Merchants can also upgrade today to to the latest version of the Community Edition and receive the security fixes as part of the core code.

Be sure to implement and test the patch in a development environment first to confirm that it works as expected before deploying it to a production site. Information about installing patches for Magento Enterprise Edition and Magento Community Edition is available online.